private static LocalOutgoingServerSession attemptDialbackOverTLS(
     Connection connection, XMPPPacketReader reader, String domain, String hostname, String id) {
   final Logger log =
       LoggerFactory.getLogger(
           LocalOutgoingServerSession.class.getName() + "['" + hostname + "']");
   if (ServerDialback.isEnabled() || ServerDialback.isEnabledForSelfSigned()) {
     log.debug("Trying to connecting using dialback over TLS.");
     ServerDialback method = new ServerDialback(connection, domain);
     OutgoingServerSocketReader newSocketReader = new OutgoingServerSocketReader(reader);
     if (method.authenticateDomain(newSocketReader, domain, hostname, id)) {
       log.debug("Dialback over TLS was successful.");
       StreamID streamID = new BasicStreamIDFactory().createStreamID(id);
       LocalOutgoingServerSession session =
           new LocalOutgoingServerSession(domain, connection, newSocketReader, streamID);
       connection.init(session);
       // Set the hostname as the address of the session
       session.setAddress(new JID(null, hostname, null));
       return session;
     } else {
       log.debug("Dialback over TLS failed");
       return null;
     }
   } else {
     log.debug("Skipping server dialback attempt as it has been disabled by local configuration.");
     return null;
   }
 }
  /**
   * Creates a new session that will receive packets. The new session will be authenticated before
   * being returned. If the authentication process fails then the answer will be <tt>null</tt>.
   *
   * <p>
   *
   * @param serverName hostname of this server.
   * @param reader reader on the new established connection with the remote server.
   * @param connection the new established connection with the remote server.
   * @return a new session that will receive packets or null if a problem occured while
   *     authenticating the remote server or when acting as the Authoritative Server during a Server
   *     Dialback authentication process.
   * @throws org.xmlpull.v1.XmlPullParserException if an error occurs while parsing the XML.
   * @throws java.io.IOException if an input/output error occurs while using the connection.
   */
  public static LocalIncomingServerSession createSession(
      String serverName, XMPPPacketReader reader, SocketConnection connection)
      throws XmlPullParserException, IOException {
    XmlPullParser xpp = reader.getXPPParser();

    String version = xpp.getAttributeValue("", "version");
    int[] serverVersion = version != null ? decodeVersion(version) : new int[] {0, 0};

    try {
      // Get the stream ID for the new session
      StreamID streamID = SessionManager.getInstance().nextStreamID();
      // Create a server Session for the remote server
      LocalIncomingServerSession session =
          SessionManager.getInstance().createIncomingServerSession(connection, streamID);

      // Send the stream header
      StringBuilder openingStream = new StringBuilder();
      openingStream.append("<stream:stream");
      openingStream.append(" xmlns:db=\"jabber:server:dialback\"");
      openingStream.append(" xmlns:stream=\"http://etherx.jabber.org/streams\"");
      openingStream.append(" xmlns=\"jabber:server\"");
      openingStream.append(" from=\"").append(serverName).append("\"");
      openingStream.append(" id=\"").append(streamID).append("\"");
      openingStream.append(" version=\"1.0\">");
      connection.deliverRawText(openingStream.toString());

      if (serverVersion[0] >= 1) {
        // Remote server is XMPP 1.0 compliant so offer TLS and SASL to establish the connection
        // (and server dialback)

        // Indicate the TLS policy to use for this connection
        Connection.TLSPolicy tlsPolicy =
            ServerDialback.isEnabled()
                ? Connection.TLSPolicy.optional
                : Connection.TLSPolicy.required;
        boolean hasCertificates = false;
        try {
          hasCertificates = SSLConfig.getKeyStore().size() > 0;
        } catch (Exception e) {
          Log.error(e.getMessage(), e);
        }
        if (Connection.TLSPolicy.required == tlsPolicy && !hasCertificates) {
          Log.error(
              "Server session rejected. TLS is required but no certificates " + "were created.");
          return null;
        }
        connection.setTlsPolicy(hasCertificates ? tlsPolicy : Connection.TLSPolicy.disabled);
      }

      // Indicate the compression policy to use for this connection
      String policyName =
          JiveGlobals.getProperty(
              "xmpp.server.compression.policy", Connection.CompressionPolicy.disabled.toString());
      Connection.CompressionPolicy compressionPolicy =
          Connection.CompressionPolicy.valueOf(policyName);
      connection.setCompressionPolicy(compressionPolicy);

      StringBuilder sb = new StringBuilder();

      if (serverVersion[0] >= 1) {
        // Remote server is XMPP 1.0 compliant so offer TLS and SASL to establish the connection
        // (and server dialback)
        // Don't offer stream-features to pre-1.0 servers, as it confuses them. Sending features to
        // Openfire < 3.7.1 confuses it too - OF-443)
        sb.append("<stream:features>");

        if (JiveGlobals.getBooleanProperty("xmpp.server.tls.enabled", true)) {
          sb.append("<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\">");
          if (!ServerDialback.isEnabled()) {
            // Server dialback is disabled so TLS is required
            sb.append("<required/>");
          }
          sb.append("</starttls>");
        }

        // Include available SASL Mechanisms
        sb.append(SASLAuthentication.getSASLMechanisms(session));

        if (ServerDialback.isEnabled()) {
          // Also offer server dialback (when TLS is not required). Server dialback may be offered
          // after TLS has been negotiated and a self-signed certificate is being used
          sb.append("<dialback xmlns=\"urn:xmpp:features:dialback\"/>");
        }

        sb.append("</stream:features>");
      }

      connection.deliverRawText(sb.toString());

      // Set the domain or subdomain of the local server targeted by the remote server
      session.setLocalDomain(serverName);
      return session;
    } catch (Exception e) {
      Log.error("Error establishing connection from remote server:" + connection, e);
      connection.close();
      return null;
    }
  }
  private static LocalOutgoingServerSession secureAndAuthenticate(
      String hostname,
      SocketConnection connection,
      XMPPPacketReader reader,
      StringBuilder openingStream,
      String domain)
      throws Exception {
    final Logger log =
        LoggerFactory.getLogger(
            LocalOutgoingServerSession.class.getName() + "['" + hostname + "']");
    Element features;
    log.debug("Indicating we want TLS to " + hostname);
    connection.deliverRawText("<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");

    MXParser xpp = reader.getXPPParser();
    // Wait for the <proceed> response
    Element proceed = reader.parseDocument().getRootElement();
    if (proceed != null && proceed.getName().equals("proceed")) {
      log.debug("Negotiating TLS...");
      try {
        //                boolean needed =
        // JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY, true) &&
        //
        // JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_CHAIN_VERIFY,
        // true) &&
        //
        // !JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS,
        // false);
        connection.startTLS(true);
      } catch (Exception e) {
        log.debug("Got an exception whilst negotiating TLS: " + e.getMessage());
        throw e;
      }
      log.debug("TLS negotiation was successful.");
      if (!SASLAuthentication.verifyCertificates(
          connection.getPeerCertificates(), hostname, true)) {
        log.debug("X.509/PKIX failure on outbound session");
        if (ServerDialback.isEnabled() || ServerDialback.isEnabledForSelfSigned()) {
          log.debug("Will continue with dialback.");
        } else {
          log.warn("No TLS auth, but TLS auth required.");
          return null;
        }
      }

      // TLS negotiation was successful so initiate a new stream
      connection.deliverRawText(openingStream.toString());

      // Reset the parser to use the new secured reader
      xpp.setInput(
          new InputStreamReader(
              connection.getTLSStreamHandler().getInputStream(), StandardCharsets.UTF_8));
      // Skip new stream element
      for (int eventType = xpp.getEventType(); eventType != XmlPullParser.START_TAG; ) {
        eventType = xpp.next();
      }
      // Get the stream ID
      String id = xpp.getAttributeValue("", "id");
      // Get new stream features
      features = reader.parseDocument().getRootElement();
      if (features != null) {
        // Check if we can use stream compression
        final Connection.CompressionPolicy compressionPolicy =
            connection.getConfiguration().getCompressionPolicy();
        if (Connection.CompressionPolicy.optional == compressionPolicy) {
          // Verify if the remote server supports stream compression
          Element compression = features.element("compression");
          if (compression != null) {
            boolean zlibSupported = false;
            Iterator it = compression.elementIterator("method");
            while (it.hasNext()) {
              Element method = (Element) it.next();
              if ("zlib".equals(method.getTextTrim())) {
                zlibSupported = true;
              }
            }
            if (zlibSupported) {
              log.debug("Suppressing request to perform compression; unsupported in this version.");
              zlibSupported = false;
            }
            if (zlibSupported) {
              log.debug("Requesting stream compression (zlib).");
              connection.deliverRawText(
                  "<compress xmlns='http://jabber.org/protocol/compress'><method>zlib</method></compress>");
              // Check if we are good to start compression
              Element answer = reader.parseDocument().getRootElement();
              if ("compressed".equals(answer.getName())) {
                // Server confirmed that we can use zlib compression
                connection.addCompression();
                connection.startCompression();
                log.debug("Stream compression was successful.");
                // Stream compression was successful so initiate a new stream
                connection.deliverRawText(openingStream.toString());
                // Reset the parser to use stream compression over TLS
                ZInputStream in =
                    new ZInputStream(connection.getTLSStreamHandler().getInputStream());
                in.setFlushMode(JZlib.Z_PARTIAL_FLUSH);
                xpp.setInput(new InputStreamReader(in, StandardCharsets.UTF_8));
                // Skip the opening stream sent by the server
                for (int eventType = xpp.getEventType(); eventType != XmlPullParser.START_TAG; ) {
                  eventType = xpp.next();
                }
                // Get new stream features
                features = reader.parseDocument().getRootElement();
                if (features == null) {
                  log.debug("Error, EXTERNAL SASL was not offered.");
                  return null;
                }
              } else {
                log.debug("Stream compression was rejected by " + hostname);
              }
            } else {
              log.debug("Stream compression found but zlib method is not supported by " + hostname);
            }
          } else {
            log.debug("Stream compression not supported by " + hostname);
          }
        }

        // Bookkeeping: determine what functionality the remote server offers.
        boolean saslEXTERNALoffered = false;
        if (features != null) {
          if (features.element("mechanisms") != null) {
            Iterator<Element> it = features.element("mechanisms").elementIterator();
            while (it.hasNext()) {
              Element mechanism = it.next();
              if ("EXTERNAL".equals(mechanism.getTextTrim())) {
                saslEXTERNALoffered = true;
                break;
              }
            }
          }
        }
        final boolean dialbackOffered = features.element("dialback") != null;

        log.debug("Offering dialback functionality: {}", dialbackOffered);
        log.debug("Offering EXTERNAL SASL: {}", saslEXTERNALoffered);

        LocalOutgoingServerSession result = null;
        // first, try SASL
        if (saslEXTERNALoffered) {
          result =
              attemptSASLexternal(connection, xpp, reader, domain, hostname, id, openingStream);
        }
        if (result == null) {
          // SASL unavailable or failed, try dialback.
          result = attemptDialbackOverTLS(connection, reader, domain, hostname, id);
        }

        return result;
      } else {
        log.debug(
            "Cannot create outgoing server session, as neither SASL mechanisms nor SERVER DIALBACK were offered by "
                + hostname);
        return null;
      }
    } else {
      log.debug("Error, <proceed> was not received!");
      return null;
    }
  }
  /**
   * Establishes a new outgoing session to a remote server. If the remote server supports TLS and
   * SASL then the new outgoing connection will be secured with TLS and authenticated using SASL.
   * However, if TLS or SASL is not supported by the remote server or if an error occured while
   * securing or authenticating the connection using SASL then server dialback method will be used.
   *
   * @param domain the local domain to authenticate with the remote server.
   * @param hostname the hostname of the remote server.
   * @param port default port to use to establish the connection.
   * @return new outgoing session to a remote server.
   */
  private static LocalOutgoingServerSession createOutgoingSession(
      String domain, String hostname, int port) {

    String localDomainName = XMPPServer.getInstance().getServerInfo().getXMPPDomain();
    boolean useTLS = JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_ENABLED, true);
    RemoteServerConfiguration configuration = RemoteServerManager.getConfiguration(hostname);
    if (configuration != null) {
      // TODO Use the specific TLS configuration for this remote server
      // useTLS = configuration.isTLSEnabled();
    }

    // Connect to remote server using XMPP 1.0 (TLS + SASL EXTERNAL or TLS + server dialback or
    // server dialback)
    String realHostname = null;
    int realPort = port;
    Socket socket = null;
    // Get a list of real hostnames to connect to using DNS lookup of the specified hostname
    List<DNSUtil.HostAddress> hosts = DNSUtil.resolveXMPPDomain(hostname, port);
    for (Iterator<DNSUtil.HostAddress> it = hosts.iterator(); it.hasNext(); ) {
      try {
        socket = new Socket();
        DNSUtil.HostAddress address = it.next();
        realHostname = address.getHost();
        realPort = address.getPort();
        Log.debug(
            "LocalOutgoingServerSession: OS - Trying to connect to "
                + hostname
                + ":"
                + port
                + "(DNS lookup: "
                + realHostname
                + ":"
                + realPort
                + ")");
        // Establish a TCP connection to the Receiving Server
        socket.connect(
            new InetSocketAddress(realHostname, realPort), RemoteServerManager.getSocketTimeout());
        Log.debug(
            "LocalOutgoingServerSession: OS - Plain connection to "
                + hostname
                + ":"
                + port
                + " successful");
        break;
      } catch (Exception e) {
        Log.warn(
            "Error trying to connect to remote server: "
                + hostname
                + "(DNS lookup: "
                + realHostname
                + ":"
                + realPort
                + "): "
                + e.toString());
        try {
          if (socket != null) {
            socket.close();
          }
        } catch (IOException ex) {
          Log.debug(
              "Additional exception while trying to close socket when connection to remote server failed: "
                  + ex.toString());
        }
      }
    }
    if (!socket.isConnected()) {
      return null;
    }

    SocketConnection connection = null;
    try {
      connection =
          new SocketConnection(XMPPServer.getInstance().getPacketDeliverer(), socket, false);

      // Send the stream header
      StringBuilder openingStream = new StringBuilder();
      openingStream.append("<stream:stream");
      openingStream.append(" xmlns:db=\"jabber:server:dialback\"");
      openingStream.append(" xmlns:stream=\"http://etherx.jabber.org/streams\"");
      openingStream.append(" xmlns=\"jabber:server\"");
      openingStream.append(" from=\"").append(localDomainName).append("\""); // OF-673
      openingStream.append(" to=\"").append(hostname).append("\"");
      openingStream.append(" version=\"1.0\">");
      connection.deliverRawText(openingStream.toString());

      // Set a read timeout (of 5 seconds) so we don't keep waiting forever
      int soTimeout = socket.getSoTimeout();
      socket.setSoTimeout(5000);

      XMPPPacketReader reader = new XMPPPacketReader();
      reader
          .getXPPParser()
          .setInput(new InputStreamReader(socket.getInputStream(), StandardCharsets.UTF_8));
      // Get the answer from the Receiving Server
      XmlPullParser xpp = reader.getXPPParser();
      for (int eventType = xpp.getEventType(); eventType != XmlPullParser.START_TAG; ) {
        eventType = xpp.next();
      }

      String serverVersion = xpp.getAttributeValue("", "version");
      String id = xpp.getAttributeValue("", "id");

      // Check if the remote server is XMPP 1.0 compliant
      if (serverVersion != null && decodeVersion(serverVersion)[0] >= 1) {
        // Restore default timeout
        socket.setSoTimeout(soTimeout);
        // Get the stream features
        Element features = reader.parseDocument().getRootElement();
        if (features != null) {
          // Check if TLS is enabled
          if (useTLS && features.element("starttls") != null) {
            // Secure the connection with TLS and authenticate using SASL
            LocalOutgoingServerSession answer;
            answer = secureAndAuthenticate(hostname, connection, reader, openingStream, domain);
            if (answer != null) {
              // Everything went fine so return the secured and
              // authenticated connection
              return answer;
            }
          }
          // Check if we are going to try server dialback (XMPP 1.0)
          else if (ServerDialback.isEnabled() && features.element("dialback") != null) {
            Log.debug(
                "LocalOutgoingServerSession: OS - About to try connecting using server dialback XMPP 1.0 with: "
                    + hostname);
            ServerDialback method = new ServerDialback(connection, domain);
            OutgoingServerSocketReader newSocketReader = new OutgoingServerSocketReader(reader);
            if (method.authenticateDomain(newSocketReader, domain, hostname, id)) {
              Log.debug(
                  "LocalOutgoingServerSession: OS - SERVER DIALBACK XMPP 1.0 with "
                      + hostname
                      + " was successful");
              StreamID streamID = new BasicStreamIDFactory().createStreamID(id);
              LocalOutgoingServerSession session =
                  new LocalOutgoingServerSession(domain, connection, newSocketReader, streamID);
              connection.init(session);
              // Set the hostname as the address of the session
              session.setAddress(new JID(null, hostname, null));
              return session;
            } else {
              Log.debug(
                  "LocalOutgoingServerSession: OS - Error, SERVER DIALBACK with "
                      + hostname
                      + " failed");
            }
          }
        } else {
          Log.debug("LocalOutgoingServerSession: OS - Error, <starttls> was not received");
        }
      }
      // Something went wrong so close the connection and try server dialback over
      // a plain connection
      if (connection != null) {
        connection.close();
      }
    } catch (SSLHandshakeException e) {
      Log.debug(
          "LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote "
              + "server: "
              + hostname
              + "(DNS lookup: "
              + realHostname
              + ":"
              + realPort
              + "):",
          e);
      // Close the connection
      if (connection != null) {
        connection.close();
      }
    } catch (Exception e) {
      Log.error(
          "Error creating secured outgoing session to remote server: "
              + hostname
              + "(DNS lookup: "
              + realHostname
              + ":"
              + realPort
              + ")",
          e);
      // Close the connection
      if (connection != null) {
        connection.close();
      }
    }

    if (ServerDialback.isEnabled()) {
      Log.debug(
          "LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: "
              + hostname);
      // Use server dialback (pre XMPP 1.0) over a plain connection
      return new ServerDialback().createOutgoingSession(domain, hostname, port);
    }
    return null;
  }